Snort



  • Hello all, new to all this, but I installed Snort, got my oink code... things are running right? However, now I don't know what should or should not be blocked. I see alerts, one of which is (http_inspect: no content-length or transfer-encoding in http response). Don't know if this is an issue and if so how do I block it. I did not set up to block anything because I am sadly ignorant as to what I should block... can anyone help me?



  • Your best bet is to look at what devices are triggering rules. Don't enable blocking to start off with, just alert, then suck the alerts into a spreadsheet and look at the stats.

    They are disabled here:-


    FWIW I've disabled these:-

    HI_CLIENT_DOUBLE_DECODE
    HI_CLIENT_BARE_BYTE
    HI_CLIENT_IIS_UNICODE
    HI_CLIENT_UNKNOWN_METHOD
    HI_CLIENT_SIMPLE_REQUEST
    HI_CLIENT_UNESCAPED_SPACE_IN_URI
    HI_SERVER_NO_CONTLEN
    HI_CLISRV_MSG_SIZE_EXCEPTION

    SSL_INVALID_CLIENT_HELLO
    SSL_INVALID_SERVER_HELLO

    SIP_EVENT_AUTH_INVITE_REPLAY_ATTACK
    SIP_EVENT_MAX_DIALOGS_IN_A_SESSION
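As an added example (not posted by anyone in this thread): a small Python script that parses Snort alert_fast lines and tallies alerts per signature together with the distinct source hosts, which is the spreadsheet-style view suggested above. The sample alert lines are constructed, not a real capture, and the rule ids and messages in them are illustrative.

```python
import re

# One line of Snort's alert_fast output (Snort 2.x layout as used by the pfSense package).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (not a real capture); rule ids and messages are illustrative.
SAMPLE_ALERTS = """\
01/25-08:15:15.123456  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 93.184.216.34:80 -> 192.168.1.20:51234
01/25-08:15:16.000001  [**] [120:3:1] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 198.51.100.7:80 -> 192.168.1.21:51300
01/25-08:16:02.500000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.9:80 -> 192.168.1.20:51240
01/25-08:16:10.000000  [**] [137:1:1] (ssl) Invalid Client HELLO after Server HELLO Detected [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 192.168.1.22:44321 -> 198.51.100.7:443
this line is not an alert and is skipped
"""

def parse_alert(line):
    """Return a dict of fields for one alert_fast line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "prio"):
        a[k] = int(a[k])
    return a

def summarize(text):
    """Aggregate alerts per signature: message, priority, count and distinct source hosts."""
    stats = {}
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # non-alert lines (or an unexpected layout) are ignored, not counted
        s = stats.setdefault((a["gid"], a["sid"]),
                             {"msg": a["msg"], "prio": a["prio"], "count": 0, "sources": set()})
        s["count"] += 1
        s["sources"].add(a["src"])
    return stats

def ranked(stats):
    """Signatures by volume (then priority): the view to read before deciding what to disable."""
    return sorted(stats.items(), key=lambda kv: (-kv[1]["count"], kv[1]["prio"]))

if __name__ == "__main__":
    for (gid, sid), s in ranked(summarize(SAMPLE_ALERTS)):
        print(f"{gid}:{sid:<8} prio={s['prio']} count={s['count']} hosts={sorted(s['sources'])} {s['msg']}")
```

Run on the LAN interface, the `sources` column shows the internal host behind each alert rather than the post-NAT WAN address.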



  • Hmmm, I must have done something wrong in my setup... I am running this on my WAN side; yours appears to be on your LAN side.



  • I run it on both.

    If you have a host on your LAN causing issues, you actually see the IP address of the host rather than the WAN IP address post-NAT.



  • Thanks, I see... I actually have it running on my WAN side, not my LAN. I'll set it up on my LAN side. I currently have the IPS policy set to Security on the WAN side and just turned on blocking to see if it actually breaks my network. Don't think it's the best way to go about this, but then I can open things up as they pop up.

